NIST 800-171 Basic Assessment Reporting: Easy as 1-2-3

Posted by: Jenna Brankin October 28, 2020 Cybersecurity

On September 29, 2020, the Federal Government issued an Interim Rule on cybersecurity requirements that impacts any company that does business with the Department of Defense (DoD) directly or indirectly.  The Interim Rule, which updates the Defense Federal Acquisition Regulation Supplement (DFARS) and takes effect on November 30, 2020, included a surprise.  While it accounts for the rollout of the forthcoming Cybersecurity Maturity Model Certification (CMMC) as anticipated, it also mandates reporting requirements with respect to compliance with the 110 security controls found within Special Publication 800-171 from the National Institute of Standards and Technology (NIST SP 800-171).

Per DFARS clause 252.204-7012, any organization that handles or stores Controlled Unclassified Information (CUI) already needed to create one or more System Security Plans (SSPs), use the SSPs to self-assess and self-attest to their compliance with NIST SP 800-171, and create Plans of Action and Milestones (POA&Ms) to account for compliance gaps and shortcomings.  The Interim Rule adds DFARS 252.204-7019 and -7020, which state that these organizations now must conduct a Basic Assessment of compliance using their SSPs and calculate their score, starting from the maximum of 110.  Full compliance with all of the NIST SP 800-171 controls maintains the maximum score.  Organizations must deduct 1 to 5 points, on a weighted scale, for each unimplemented or partially implemented control, which means the final score can be as low as -203!  Affected members of the Defense Industrial Base (DIB) must enter their scores on the Supplier Performance Risk System (SPRS), along with the date by which they commit to resolving shortcomings and achieving the maximum score of 110.

Businesses throughout the DoD supply chain have expressed concern and confusion, uncertain about how to proceed.  While the new requirements may seem daunting, especially if POA&Ms remain unaddressed, companies can follow a simple three-step process to complete the necessary Basic Assessment reporting.

Step #1: Get a CAGE Code

Organizations in the U.S. and its territories must obtain a Commercial and Government Entity (CAGE) code from the Defense Logistics Agency in order to do business with the Federal Government.  The five-character alphanumeric identifier supports a variety of procurement and acquisition processes, and must be submitted to SPRS along with the Basic Assessment score.  Members of the DIB that contract directly with the DoD should already have one or more CAGE codes tied to segments of their enterprises (and thus to SSPs).  Companies further down the DoD supply chain may not possess a CAGE code but can get one through the System for Award Management.  Organizations outside of the U.S. and its territories can acquire a NATO CAGE (NCAGE) code to serve the same purpose.

Step #2: Conduct and Score the Basic Assessment

Organizations that store or handle CUI previously should have completed a NIST SP 800-171 self-assessment.  However, any organization with POA&Ms will want to reassess and update their SSPs to achieve the best possible score.  The Basic Assessment can be completed manually, following the scoring guidelines published by the DoD for each partially implemented or unimplemented control.  Those businesses without the bandwidth or expertise to conduct and score a Basic Assessment can turn to a product that helps them execute the Assessment, calculate their score, and create the Basic Assessment report necessary for submission to satisfy the Interim Rule’s requirements.

Step #3: Submit to SPRS

All members of the DIB subject to DFARS 252.204-7019 and -7020 must update entries on SPRS at least once every three years.  Each entry consists of the date of the Basic Assessment, the score, the CAGE code(s) mapped to the relevant SSPs, and the date by which the organization will realize the perfect score of 110.  The Federal Government grants access to SPRS via single sign-on through its Procurement Integrated Enterprise Environment (PIEE).  Organizations can register for a PIEE account with an SPRS Cyber Vendor Role, log in to PIEE, click on the SPRS icon, select the NIST 800-171 Assessment option, and follow the prompts to enter the necessary information.

The reporting process to meet the Interim Rule’s mandates may not be complicated, but the stakes with respect to the Basic Assessment’s scoring and commitments are high.  Failure to enter the relevant information on SPRS likely will preclude companies from participating on future contracts out for bid that contemplate the exchange of CUI.  The Interim Rule also includes options for the DoD to conduct more in-depth Medium and High Assessments to verify the accuracy of an organization’s Basic Assessment and/or confirm it met its commitments for full NIST SP 800-171 compliance ahead of its self-imposed deadline.  Discrepancies not only raise risk and liability but also could impact current and future business engagements, and potentially could even lead to prosecution under the False Claims Act.

The clock is ticking – businesses need to get moving right away.  We’re here to help.